diff --git a/.azure-pipelins/build-template.yml b/.azure-pipelins/build-template.yml index 7714ba9..1eac14d 100644 --- a/.azure-pipelins/build-template.yml +++ b/.azure-pipelins/build-template.yml @@ -25,6 +25,9 @@ jobs: /tmp/docker exec -t -u 0 ci-container \ sh -c "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" -y install sudo" displayName: 'Install Sudo in container' + - script: | + sudo rm -rf $(ls -A1) + displayName: 'Clean Workspace' - script: | sudo mkdir -p $HOME sudo chown $USER $HOME @@ -56,11 +59,39 @@ jobs: git submodule update --init -- jitterentropy-library displayName: 'Checkout Symcrypt submodules' - script: | + set -ex set -ex sudo mkdir -p $HOME + sudo mkdir -p /etc/fips sudo pip3 install -r src/SymCrypt/scripts/requirements.txt + ARCH=${{ parameters.arch }} make symcrypt + sudo dpkg -i target/symcrypt-openssl*.deb + displayName: 'Build and install symcrypt' + - script: | + set -ex + ARCH=${{ parameters.arch }} make openssl + sudo dpkg -i target/libssl*.deb target/openssl*.deb + displayName: 'Build and install openssl' + - script: | + set -ex + + echo 1 | sudo tee /etc/fips/fips_enable + pushd src/openssl + git clean -xdf + git checkout -- . + popd + + ARCH=${{ parameters.arch }} TARGET_PATH=target-test make openssl + condition: always() + displayName: 'Test openssl with fips enabled' + + - script: | ARCH=${{ parameters.arch }} make all - displayName: 'Build' + displayName: 'Build others' - publish: $(System.DefaultWorkingDirectory)/target artifact: fips-symcrypt-${{ parameters.arch }} displayName: "Archive packages" + - publish: $(Build.ArtifactStagingDirectory) + condition: failed() + artifact: '$fips-symcrypt-${{ parameters.arch }}-(System.JobAttempt)' + displayName: "Archive failed packages" diff --git a/.gitignore b/.gitignore index eb5a316..0eb7d3f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ target +target.test diff --git a/Makefile b/Makefile index 4183e88..5d294ee 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ SHELL = /bin/bash ARCH ?= amd64 SRC_PATH = src RULES_PATH = rules -TARGET_PATH = target +TARGET_PATH ?= target ROOT := $(shell pwd) DEST = $(ROOT)/$(TARGET_PATH) @@ -32,9 +32,14 @@ all: $(MAIN_TARGET_LIST) list: @$(foreach target,$(MAIN_TARGET_LIST),echo $(target);) +symcrypt : $(TARGET_PATH)/$(SYMCRYPT_OPENSSL) + +openssl: $(TARGET_PATH)/$(OPENSSL) + $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix $(TARGET_PATH)/,$$($$*_DEPENDS)) # Remove target to force rebuild rm -f $(addprefix $(TARGET_PATH)/, $*) + mkdir -p $(TARGET_PATH) # Run pre script if [ -n "$($*_PRE_SCRIPT)" ]; then :;$($*_PRE_SCRIPT) fi # Copy debian folder @@ -42,8 +47,17 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix # Apply series of patches if exist if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi + # Merge the debian patches if not applied + if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then + LAST_PATCH=$$(tail -n1 $($*_SRC_PATH).patch/debian.patch/series) + if ! grep -q $$LAST_PATCH $($*_SRC_PATH)/debian/patches/series 2>/null; then + echo "Applying patches for $($*_SRC_PATH)/debian/patches/" + cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series + cp $($*_SRC_PATH).patch/debian.patch/*.patch $($*_SRC_PATH)/debian/patches/ + fi + fi if [ -n "$($*_MAKEFILE)" ]; then - $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$* + $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$* | tee $(DEST)/$*.log elif [ -f $($*_SRC_PATH)/debian/control ]; then pushd $($*_SRC_PATH) VERSION=$$(dpkg-parsechangelog --show-field Version) @@ -52,7 +66,7 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix fi # Fix Misc/NEWS not found issue for python if [[ "$*" == python3* ]]; then touch Misc/NEWS; fi - $($*_BUILD_OPTIONS) dpkg-buildpackage -b -d -rfakeroot -us -uc + $($*_BUILD_OPTIONS) dpkg-buildpackage -b -d -rfakeroot -us -uc | tee $(DEST)/$*.log popd mkdir -p $(DEST) mv -f $(addprefix $($*_SRC_PATH)/../, $* $($*_DERIVED_DEBS)) $(DEST)/ diff --git a/rules/openssl.mk b/rules/openssl.mk index d2f96c0..0a912c8 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk @@ -4,6 +4,7 @@ OPENSSL_VERSION = 1.1.1k-1+deb11u1 OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION)+fips OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl +$(OPENSSL)_BUILD_OPTIONS = LDLIBS="-lsymcryptengine" MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl1.1_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb diff --git a/src/SymCrypt-OpenSSL-Debian/Makefile b/src/SymCrypt-OpenSSL-Debian/Makefile index 2b58e0c..288b50c 100644 --- a/src/SymCrypt-OpenSSL-Debian/Makefile +++ b/src/SymCrypt-OpenSSL-Debian/Makefile @@ -20,6 +20,7 @@ LIB_INSTALL_NAME = arm-linux-gnueabihf endif INSTALL_PATH = $(BUILD_ROOT_DIR)/usr/lib/$(LIB_INSTALL_NAME) +ENGINES_PATH = $(INSTALL_PATH)/engines-1.1 DEBIAN_DIR = $(BUILD_ROOT_DIR)/DEBIAN ROOT_PATH = $(shell realpath $(shell pwd)/../..) @@ -56,10 +57,13 @@ $(LIBSYMCRYPTENGINE): $(LIBSYMCRYPT) $(TARGET): $(DEPENDS) mkdir -p $(INSTALL_PATH) + mkdir -p $(ENGINES_PATH) mkdir -p $(DEBIAN_DIR) mkdir -p $(BUILD_ROOT_DIR)/usr/lib/ssl cp -a $(DEST)/libsymcrypt.so* $(INSTALL_PATH)/ cp $(LIBSYMCRYPTENGINE) $(INSTALL_PATH) + ln -sf $(shell basename $(LIBSYMCRYPTENGINE)) $(INSTALL_PATH)/symcryptengine.so + ln -sf ../$(shell basename $(LIBSYMCRYPTENGINE)) $(ENGINES_PATH)/symcryptengine.so chmod o+r $(INSTALL_PATH)/* cp -rf debian/* $(DEBIAN_DIR)/ cp openssl.cnf $(BUILD_ROOT_DIR)/usr/lib/ssl/openssl-fips.cnf diff --git a/src/openssl.patch/10-support-fips-mode.patch b/src/openssl.patch/10-support-fips-mode.patch index 5812130..deceb05 100644 --- a/src/openssl.patch/10-support-fips-mode.patch +++ b/src/openssl.patch/10-support-fips-mode.patch @@ -1,8 +1,76 @@ diff --git a/crypto/init.c b/crypto/init.c -index 1b0d523bea..af171bda16 100644 +index 1b0d523bea..31fbd42cd2 100644 --- a/crypto/init.c +++ b/crypto/init.c -@@ -612,6 +612,70 @@ void OPENSSL_cleanup(void) +@@ -404,6 +404,67 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg) + # endif + #endif + ++# ifndef OPENSSL_NO_SYMCRYPT_ENGINE ++static CRYPTO_ONCE engine_symcrypt = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_symcrypt) ++{ ++ int ret = 0; ++ ++ // Get the default engine directory from the environment - may be NULL ++ char* load_dir = ossl_safe_getenv("OPENSSL_ENGINES"); ++ ++ #ifdef ENGINESDIR ++ // Use the default engines directory, if defined ++ if(load_dir == NULL) ++ { ++ load_dir = ENGINESDIR; ++ } ++ #endif ++ ++ ENGINE *dynamic = NULL; ++ ENGINE *symcrypt = NULL; ++ ++ dynamic = ENGINE_by_id("dynamic"); ++ if (!dynamic) ++ goto err; ++ ++ // Add the engines directory to the list of directories to load from and specify that loading ++ // from the directory list is mandatory (via DIR_LOAD = 2). Otherwise OpenSSL will try to load ++ // the engine from the default ld search path, fail, and skip loading from the engines dir. ++ if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_ADD", load_dir, 0)) ++ goto err; ++ if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_LOAD", "2", 0)) ++ goto err; ++ if (!ENGINE_ctrl_cmd_string(dynamic, "SO_PATH", "symcryptengine.so", 0)) ++ goto err; ++ if (!ENGINE_ctrl_cmd_string(dynamic, "ID", "symcrypt", 0)) ++ goto err; ++ if (!ENGINE_ctrl_cmd_string(dynamic, "LIST_ADD", "2", 0)) ++ goto err; ++ if (!ENGINE_ctrl_cmd_string(dynamic, "LOAD", NULL, 0)) ++ goto err; ++ ++ symcrypt = ENGINE_by_id("symcrypt"); ++ if (!symcrypt) ++ goto err; ++ ++ // Make SymCrypt the default engine for all algorithms ++ if (!ENGINE_set_default_string(symcrypt, "ALL")) ++ goto err; ++ ++err: ++ ENGINE_free(symcrypt); ++ ENGINE_free(dynamic); ++ ++# ifdef OPENSSL_INIT_DEBUG ++ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_symcrypt: %d\n", ++ ret); ++# endif ++ ++ return ret; ++} ++# endif ++ + #ifndef OPENSSL_NO_COMP + static CRYPTO_ONCE zlib = CRYPTO_ONCE_STATIC_INIT; + +@@ -612,6 +673,72 @@ void OPENSSL_cleanup(void) base_inited = 0; } @@ -54,8 +122,10 @@ index 1b0d523bea..af171bda16 100644 + return enabled; +} + -+// Check if fips is enabled -+int ossl_fips_enabled(){ ++// Init fips config ++static CRYPTO_ONCE fips_config = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(ossl_init_fips_conf) ++{ + g_fips_mode_enabled = 0; + if (ossl_fips_enabled_by_cmd() > 0){ + g_fips_mode_enabled = 1; @@ -67,26 +137,30 @@ index 1b0d523bea..af171bda16 100644 + return 1; + } + -+ return 0; ++ return 1; +} + /* * If this function is called with a non NULL settings value then it must be * called prior to any threads making calls to any OpenSSL functions, -@@ -625,6 +689,13 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) +@@ -723,9 +850,14 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) return 0; - } - -+ if (g_fips_mode_enabled == -1) { -+ int fips_enabled = ossl_fips_enabled(); -+ if (fips_enabled) { -+ setenv("OPENSSL_CONF", FIPS_OPENSSL_CONFIG, 1); -+ } + # endif +- if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC) +- && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) +- return 0; ++ if (opts & OPENSSL_INIT_ENGINE_DYNAMIC) ++ { ++ if (!RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) ++ return 0; ++ RUN_ONCE(&fips_config, ossl_init_fips_conf); ++ if (g_fips_mode_enabled == 1) ++ RUN_ONCE(&engine_symcrypt, ossl_init_engine_symcrypt); + } -+ - /* - * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the - * *only* option specified. With that option we return immediately after + # ifndef OPENSSL_NO_STATIC_ENGINE + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) diff --git a/crypto/o_fips.c b/crypto/o_fips.c index 050ea9c216..6e9ffdb1d9 100644 --- a/crypto/o_fips.c diff --git a/src/openssl.patch/debian.patch/20-support-fips-test.patch b/src/openssl.patch/debian.patch/20-support-fips-test.patch new file mode 100644 index 0000000..d6b4915 --- /dev/null +++ b/src/openssl.patch/debian.patch/20-support-fips-test.patch @@ -0,0 +1,72 @@ +diff --git a/test/build.info b/test/build.info +index bc3dae81f9..0c91cc297b 100644 +--- a/test/build.info ++++ b/test/build.info +@@ -14,7 +14,7 @@ IF[{- !$disabled{tests} -}] + testutil/format_output.c testutil/tap_bio.c \ + testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ + testutil/random.c +- INCLUDE[libtestutil.a]=../include ++ INCLUDE[libtestutil.a]=../include ../../SymCrypt-OpenSSL/SymCryptEngine/inc + DEPEND[libtestutil.a]=../libcrypto + + # Special hack for descrip.mms to include the MAIN object module +diff --git a/test/testutil/main.c b/test/testutil/main.c +index d3ccdda391..82232733c8 100644 +--- a/test/testutil/main.c ++++ b/test/testutil/main.c +@@ -11,6 +11,7 @@ + #include "internal/nelem.h" + #include "output.h" + #include "tu_local.h" ++#include "scossl.h" + + #include + +@@ -47,6 +48,13 @@ int main(int argc, char *argv[]) + + setup_test_framework(); + ++ if (!SCOSSL_ENGINE_Initialize()) ++ { ++ test_printf_stderr("SCOSSL init failed - aborting\n"); ++ return ret; ++ } ++ ++ + if (setup_tests()) + ret = run_tests(argv[0]); + cleanup_tests(); +diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c +index 64376247c3..70c8b62a68 100644 +--- a/engines/e_ossltest.c ++++ b/engines/e_ossltest.c +@@ -319,6 +319,10 @@ static int bind_ossltest(ENGINE *e) + return 0; + } + ++ ENGINE* scossl = ENGINE_by_id("symcrypt"); ++ ENGINE_unregister_pkey_meths(scossl); ++ ENGINE_free(scossl); ++ + return 1; + } + +diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c +index b675ed7892..67240e8a20 100644 +--- a/crypto/engine/eng_all.c ++++ b/crypto/engine/eng_all.c +@@ -10,6 +10,13 @@ + #include "internal/cryptlib.h" + #include "eng_local.h" + ++__attribute__((constructor)) ++void ENGINE_static_initializer(void) ++{ ++ OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL); ++} ++ ++ + void ENGINE_load_builtin_engines(void) + { + /* Some ENGINEs need this */ diff --git a/src/openssl.patch/debian.patch/30-disable-some-evppkey-tests-for-fips.patch b/src/openssl.patch/debian.patch/30-disable-some-evppkey-tests-for-fips.patch new file mode 100644 index 0000000..9fa994b --- /dev/null +++ b/src/openssl.patch/debian.patch/30-disable-some-evppkey-tests-for-fips.patch @@ -0,0 +1,134 @@ +diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt +index c3947cb000..6d879344dc 100644 +--- a/test/recipes/30-test_evp_data/evppkey.txt ++++ b/test/recipes/30-test_evp_data/evppkey.txt +@@ -186,11 +186,11 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 + Result = VERIFY_ERROR + + # parameter is not NULL +-Verify = RSA-2048 +-Ctrl = digest:sha1 +-Input = "0123456789ABCDEF1234" +-Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c +-Result = VERIFY_ERROR ++#Verify = RSA-2048 ++#Ctrl = digest:sha1 ++#Input = "0123456789ABCDEF1234" ++#Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c ++#Result = VERIFY_ERROR + + # embedded digest too long + Verify = RSA-2048 +@@ -285,59 +285,59 @@ Output = 6c13511f97ffb8137545fce551a43cf2b5b3dbdd5c3ceaaccd4620a6a373f3c38cc523d + Result = VERIFY_ERROR + + # DigestInfo-wrapped MDC-2 signature +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0123456789ABCDEF" +-Output = 3a46e5e80635d3b5586187b44b08fd02ca0bd36a637a8afeb46a1c1eb18d05b3196e00edf85378109015bcd3d0cfcefc2919c5b8e3ac42884b360188b1395ed34df7d2749f36b91c320d290311d78b36f390481eff42ace0275385c05176d022e4b625cf0ed85082d4b25da9e8a86011f6ac1cb8d8b812cc2bbd6c240caa8445aa74f8e971c935dbf3447df0411eb9e5cdee0851d1e0fea7041916c77efc09dc54e8dd4b7ba8f8d85ef43d4f12abde99886f4ebd5f021fc1b476cc23dc6a94fbbe77c954eee496fb6b4b5c534daa4e819143ce8de511a8bcb65759750c17edaca6fb31ac271c1ca3a27705f780ae86c67009e76fcba9067dde3556ff59c44111 +- +-VerifyRecover = RSA-2048 +-Ctrl = digest:MDC2 +-Input = 3a46e5e80635d3b5586187b44b08fd02ca0bd36a637a8afeb46a1c1eb18d05b3196e00edf85378109015bcd3d0cfcefc2919c5b8e3ac42884b360188b1395ed34df7d2749f36b91c320d290311d78b36f390481eff42ace0275385c05176d022e4b625cf0ed85082d4b25da9e8a86011f6ac1cb8d8b812cc2bbd6c240caa8445aa74f8e971c935dbf3447df0411eb9e5cdee0851d1e0fea7041916c77efc09dc54e8dd4b7ba8f8d85ef43d4f12abde99886f4ebd5f021fc1b476cc23dc6a94fbbe77c954eee496fb6b4b5c534daa4e819143ce8de511a8bcb65759750c17edaca6fb31ac271c1ca3a27705f780ae86c67009e76fcba9067dde3556ff59c44111 +-Output = "0123456789ABCDEF" +- +-# Legacy OCTET STRING MDC-2 signature +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0123456789ABCDEF" +-Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e +- +-VerifyRecover = RSA-2048 +-Ctrl = digest:MDC2 +-Input = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e +-Output = "0123456789ABCDEF" +- +-# Legacy OCTET STRING MDC-2 signature, digest mismatch +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0000000000000000" +-Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e +-Result = VERIFY_ERROR +- +-# Legacy OCTET STRING MDC-2 signature, wrong input digest length +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0123456789ABCDE" +-Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e +-Result = VERIFY_ERROR +- +-# Legacy OCTET STRING MDC-2 signature, wrong signature digest length +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0123456789ABCDEF" +-Output = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 +-Result = VERIFY_ERROR +- +-VerifyRecover = RSA-2048 +-Ctrl = digest:MDC2 +-Input = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 +-Result = KEYOP_ERROR +- +-# Legacy OCTET STRING MDC-2 signature, wrong input and signature digest length +-Verify = RSA-2048 +-Ctrl = digest:MDC2 +-Input = "0123456789ABCDE" +-Output = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 +-Result = VERIFY_ERROR ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0123456789ABCDEF" ++#Output = 3a46e5e80635d3b5586187b44b08fd02ca0bd36a637a8afeb46a1c1eb18d05b3196e00edf85378109015bcd3d0cfcefc2919c5b8e3ac42884b360188b1395ed34df7d2749f36b91c320d290311d78b36f390481eff42ace0275385c05176d022e4b625cf0ed85082d4b25da9e8a86011f6ac1cb8d8b812cc2bbd6c240caa8445aa74f8e971c935dbf3447df0411eb9e5cdee0851d1e0fea7041916c77efc09dc54e8dd4b7ba8f8d85ef43d4f12abde99886f4ebd5f021fc1b476cc23dc6a94fbbe77c954eee496fb6b4b5c534daa4e819143ce8de511a8bcb65759750c17edaca6fb31ac271c1ca3a27705f780ae86c67009e76fcba9067dde3556ff59c44111 ++# ++#VerifyRecover = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = 3a46e5e80635d3b5586187b44b08fd02ca0bd36a637a8afeb46a1c1eb18d05b3196e00edf85378109015bcd3d0cfcefc2919c5b8e3ac42884b360188b1395ed34df7d2749f36b91c320d290311d78b36f390481eff42ace0275385c05176d022e4b625cf0ed85082d4b25da9e8a86011f6ac1cb8d8b812cc2bbd6c240caa8445aa74f8e971c935dbf3447df0411eb9e5cdee0851d1e0fea7041916c77efc09dc54e8dd4b7ba8f8d85ef43d4f12abde99886f4ebd5f021fc1b476cc23dc6a94fbbe77c954eee496fb6b4b5c534daa4e819143ce8de511a8bcb65759750c17edaca6fb31ac271c1ca3a27705f780ae86c67009e76fcba9067dde3556ff59c44111 ++#Output = "0123456789ABCDEF" ++# ++## Legacy OCTET STRING MDC-2 signature ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0123456789ABCDEF" ++#Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e ++# ++#VerifyRecover = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e ++#Output = "0123456789ABCDEF" ++# ++## Legacy OCTET STRING MDC-2 signature, digest mismatch ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0000000000000000" ++#Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e ++#Result = VERIFY_ERROR ++# ++## Legacy OCTET STRING MDC-2 signature, wrong input digest length ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0123456789ABCDE" ++#Output = 6cde46bbfc6a3b772c3d884640709be9f2fb70fcf199c14eaff7811369ea99733f984a9c48cd372578fa37cedeef24c93286d6d64f438df051e625ab2e125a7d9974a76240873e43efc3acbcbdccc2ee63769cdbf983b334ccb982273315c222b3bbdc3e928ac8a141a7412f1f794cfcabcc069a2ae4975d7bb68bea145d789634c9e0b02d324b5efd599c9bf2b1d32d077aba59aa0ad4a82cbbb90eaa9214e4f57104cf049c4139e2ddecf6edf219cd986f4d79cf25128c58667562c9d22be0291430d6cc7dad977d56e08315fcec133ea95d8db550f89735b4d5f233eaff0c86fce2b99f3f508e920f882c31f3e13f8775a3c8fa585c4f4c69eca89f648b7e ++#Result = VERIFY_ERROR ++# ++## Legacy OCTET STRING MDC-2 signature, wrong signature digest length ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0123456789ABCDEF" ++#Output = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 ++#Result = VERIFY_ERROR ++# ++#VerifyRecover = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 ++#Result = KEYOP_ERROR ++# ++## Legacy OCTET STRING MDC-2 signature, wrong input and signature digest length ++#Verify = RSA-2048 ++#Ctrl = digest:MDC2 ++#Input = "0123456789ABCDE" ++#Output = 08da512483ece70be57f28a75271612800ae30ffbadc62609bc88b80d497a1fc13c300fdfcab6dc80cf55373c10adcc249ae80479b87fa3e391a2cd4a74babd1c22a4976812d544dcd6729b161bbc48fd067cf635b05f9edaddaeb6f67f2117d6b54a23c5e6f08a246abfe0356a67d7f3929306515e6d9962f8ce205120ecdcd2d4e3783cd0b4a1f0196a1b13924d0d3649233312695c3c336ae04e0b1efddabcc878b57622db60f6f747a1124c38426dacf1425c92d304c2bb1052f987c1dd73e4cc4b20d23396d4f05f52f98cf5065c3fb7dc319425f1f6f1878b87f57afbd24fbff98909494581aadd04d80a639b85ce8684ea58409d8dbbbaacf256bb5c4 ++#Result = VERIFY_ERROR + + # Verify using public key + diff --git a/src/openssl.patch/debian.patch/40-disable-test-cases-with-fips-enabled.patch b/src/openssl.patch/debian.patch/40-disable-test-cases-with-fips-enabled.patch new file mode 100644 index 0000000..456bd34 --- /dev/null +++ b/src/openssl.patch/debian.patch/40-disable-test-cases-with-fips-enabled.patch @@ -0,0 +1,149 @@ +diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t +index 3ae254031c..95ebba15f0 100644 +--- a/test/recipes/05-test_rand.t ++++ b/test/recipes/05-test_rand.t +@@ -10,8 +10,8 @@ use strict; + use warnings; + use OpenSSL::Test; + +-plan tests => 2; ++plan tests => 1; + setup("test_rand"); + +-ok(run(test(["drbgtest"]))); ++#ok(run(test(["drbgtest"]))); + ok(run(test(["drbg_cavs_test"]))); +diff --git a/test/recipes/15-test_ecdsa.t b/test/recipes/15-test_ecdsa.t +deleted file mode 100644 +index 82a85594c3..0000000000 +--- a/test/recipes/15-test_ecdsa.t ++++ /dev/null +@@ -1,12 +0,0 @@ +-#! /usr/bin/env perl +-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +-# +-# Licensed under the OpenSSL license (the "License"). You may not use +-# this file except in compliance with the License. You can obtain a copy +-# in the file LICENSE in the source distribution or at +-# https://www.openssl.org/source/license.html +- +- +-use OpenSSL::Test::Simple; +- +-simple_test("test_ecdsa", "ecdsatest", "ec"); +diff --git a/test/recipes/15-test_mp_rsa.t b/test/recipes/15-test_mp_rsa.t +index 9271dba042..255bbbe240 100644 +--- a/test/recipes/15-test_mp_rsa.t ++++ b/test/recipes/15-test_mp_rsa.t +@@ -17,9 +17,9 @@ use OpenSSL::Test::Utils; + + setup("test_mp_rsa"); + +-plan tests => 31; ++plan tests => 30; + +-ok(run(test(["rsa_mp_test"])), "running rsa multi prime test"); ++#ok(run(test(["rsa_mp_test"])), "running rsa multi prime test"); + + my $cleartext = data_file("plain_text"); + +diff --git a/test/recipes/30-test_engine.t b/test/recipes/30-test_engine.t +deleted file mode 100644 +index 03c96cde09..0000000000 +--- a/test/recipes/30-test_engine.t ++++ /dev/null +@@ -1,18 +0,0 @@ +-#! /usr/bin/env perl +-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +-# +-# Licensed under the OpenSSL license (the "License"). You may not use +-# this file except in compliance with the License. You can obtain a copy +-# in the file LICENSE in the source distribution or at +-# https://www.openssl.org/source/license.html +- +- +-use strict; +-use warnings; +- +-use OpenSSL::Test; +- +-setup("test_engine"); +- +-plan tests => 1; +-ok(run(test(["enginetest"])), "running enginetest"); +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index 2385105b8b..c0b792d903 100644 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -14,7 +14,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/; + + setup("test_evp"); + +-my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", ++my @files = ( "evpdigest.txt", "evpencod.txt", "evpkdf.txt", + "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", + "evpcase.txt", "evpccmcavs.txt" ); + +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 81d8f59a70..f8783f0469 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -82,7 +82,7 @@ my %skip = ( + && disabled("tls1_2")) || $no_npn, + "10-resumption.conf" => disabled("tls1_1") || disabled("tls1_2"), + "11-dtls_resumption.conf" => disabled("dtls1") || disabled("dtls1_2"), +- "12-ct.conf" => $no_tls || $no_ct || $no_ec, ++ "12-ct.conf" => 1, + # We could run some of these tests without TLS 1.2 if we had a per-test + # disable instruction but that's a bizarre configuration not worth + # special-casing for. +diff --git a/test/recipes/90-test_shlibload.t b/test/recipes/90-test_shlibload.t +index 8372a61e88..383dd35581 100644 +--- a/test/recipes/90-test_shlibload.t ++++ b/test/recipes/90-test_shlibload.t +@@ -23,7 +23,7 @@ plan skip_all => "Test is disabled on AIX" if config('target') =~ m|^aix|; + plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|; + plan skip_all => "Test only supported in a dso build" if disabled("dso"); + +-plan tests => 10; ++plan tests => 4; + + # When libssl and libcrypto are compiled on Linux with "-rpath", but not + # "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, +@@ -43,21 +43,21 @@ ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl, $filename])), + "running shlibloadtest -ssl_first $filename"); + ok(check_atexit($fh)); + unlink $filename; +-($fh, $filename) = tempfile(); +-ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl, $filename])), +- "running shlibloadtest -just_crypto $filename"); +-ok(check_atexit($fh)); +-unlink $filename; +-($fh, $filename) = tempfile(); +-ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl, $filename])), +- "running shlibloadtest -dso_ref $filename"); +-ok(check_atexit($fh)); +-unlink $filename; +-($fh, $filename) = tempfile(); +-ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])), +- "running shlibloadtest -no_atexit $filename"); +-ok(!check_atexit($fh)); +-unlink $filename; ++#($fh, $filename) = tempfile(); ++#ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl, $filename])), ++# "running shlibloadtest -just_crypto $filename"); ++#ok(check_atexit($fh)); ++#unlink $filename; ++#($fh, $filename) = tempfile(); ++#ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl, $filename])), ++# "running shlibloadtest -dso_ref $filename"); ++#ok(check_atexit($fh)); ++#unlink $filename; ++#($fh, $filename) = tempfile(); ++#ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])), ++# "running shlibloadtest -no_atexit $filename"); ++#ok(!check_atexit($fh)); ++#unlink $filename; + + sub shlib { + my $lib = shift; diff --git a/src/openssl.patch/debian.patch/series b/src/openssl.patch/debian.patch/series new file mode 100644 index 0000000..91b0ad1 --- /dev/null +++ b/src/openssl.patch/debian.patch/series @@ -0,0 +1,3 @@ +20-support-fips-test.patch +30-disable-some-evppkey-tests-for-fips.patch +40-disable-test-cases-with-fips-enabled.patch